ISC2 scheme to nurture security skills

CSSLP programme designed to improve the credentials of software developers

Training firm ISC2 has launched the Certified Secure Software Lifecycle Professional programme

Security training provider ISC2 will today launch a new certification programme designed to improve the security credentials of software developers and ultimately raise the standard of applications.

The Certified Secure Software Lifecycle Professional (CSSLP) programme is open to security professionals who can demonstrate four years of professional experience in the software lifecycle process or three years of experience and an IT degree.

"Despite hype in the press about data disclosures, according to Gartner about 80 per cent of breaches are actually caused by badly implemented or insecure software," said ISC2's European managing director John Colley.

"Attacks are now hitting the application and end-user. The security industry is realising that, while it's important to have good policies and processes, if the software has holes in it you're on a hiding to nothing."

From this month until March next year, ISC2 will run an "experience assessment process" which will help to develop an exam question base.

Subject areas covered in the process will be software concepts, requirements, design, implementation and coding, testing and deployment. The first exams will then follow in June 2009.

The organisation expects the certification in time to be as widespread and influential as its CISSP qualification, with senior management using it as part of their criteria to judge new recruits in software development, said Colley.

Graham Titterington of analyst firm Ovum welcomed the standard. "I tend to be sceptical about this type of thing but I feel quite supportive of this one, because they've recognised an area not covered in the traditional academic curriculum," he said.

"There's a lot more interest from the vendor side to improve secure software development too, so it's also timely to address this sort of thing."

Nigel Jones, director of the government-backed Cyber-Security Knowledge Transfer Network, said that commercial pressures and a developer culture focusing too heavily on functionality rather than security had led to poor software development.

"I hope the initiative will generate a body of knowledge that will be shared, because this area needs to be looked at," he said. "Some companies have developed their own lifecycle models but there is not a universal view on this. "